Gov't Contractor Uses Copyright, Fear Of Hackers To Get Restraining Order Against Open Source Developer

from the the-same-goddamn-hammers-used-every-time dept

A recent copyright infringement (+ "threat to national security") lawsuit filed by a government contractor against its former employee highlights two terms the government frequently fears: open source and hacking.

Open source software (especially free open source software) is often portrayed by government officials as inherently unsafe to deploy. If anyone can see the source code then surely anyone can exploit it, they say. This institutional resistance is aided greatly by companies like Microsoft, which would prefer to see lucrative software licensing contracts continue indefinitely. Not that "closed source" software is any more secure, as Microsoft itself (along with Adobe) can certainly attest. But that irrational fear remains, and it greatly hinders the adoption of open source software by government agencies.

Hacking is another of the government's favorite boogeymen. The oft-abused CFAA has turned exploration of software and systems into a crime. The government uses the words "hacking" and "hacker" almost exclusively to denote criminal activities and criminals. This continues long after the words have entered the mainstream to reflect positive activities. (See also: the extremely popular Lifehacker website; any number of events with the word "-hack" appended that result in extremely constructive outcomes.)

Andreas Schou brought this restraining order granted by an Idaho judge to many people's attention on Google+. (H/T to unnamed Techdirt reader for the submission.) It's an ultra-rare "no notice" restraining order that resulted from a wholly ex parte process involving only the plaintiff, government contractor Battelle Energy Alliance. The restraining order allowed Battelle to seize its former employee's computer, as well as prevent him from releasing the allegedly copied software as open source.

Schou details how he heard about the case.

Yesterday afternoon, my good friend (and former client) got a panicked call from his wife. Attorneys for the government contractor he formerly worked for had shown up at his door with some sort of order, demanding to be let in to seize his computers. While his wife was held out on the lawn by private attorneys, the contractor's counsel tried to call in the sheriff to -- I guess -- break down his door.

My first thought, obviously, was: this is all some sort of misunderstanding. Because Corey [Thuen] -- who's a professional security researcher -- has worked for the government his entire career, both at the FBI and as a security researcher specializing in SCADA systems, cyberterrorism, and critical infrastructure. He's a straight-laced, church-attending guy with three kids and an admittedly strange job.

And here's what he's been accused of: threatening national security by open-sourcing a network visualization and whitelisting tool.

The arguments made in Battelle's original complaint were bought almost in their entirety by Judge B. Lynn Winmill. Battelle claims copyright infringement, asserting that Corey Thuen's software, Visdom, was copied from its own Sophia software. As evidence of this, it offers the following:

- Thuen worked on Sophia and had access to the code.
- Visdom's name is remarkably similar to Sophia. (The short version: Sophia is the goddess of wisdom. Wisdom/VISDOM.)
- There's no way Thuen could have come up with his own program in such a short period of time without copying substantial amounts of Sophia's code.

Battelle also points out that Thuen's company, Southfork, made a bid to license Sophia but withdrew it a short while later, implying that Thuen's allegedly infringing copy made licensing Sophia an unneeded expense. (Thuen's response states that Southfork withdrew its bid when it became apparent Battelle wasn't interested in pursuing an open source option.)

Schou points out that if Battelle had done any due diligence, it would have realized that its infringement claim -- especially the claim that Thuen couldn't have created competing software in that time frame without copying Sophia -- is just plain wrong.

Somehow, despite spending a great deal of money on a BigLaw firm and getting an unprecedented ex parte order for the seizure of critical business infrastructure, they didn't check Github. And if they had, they'd have found out that the open-source project is built in a different language, using open libraries. They'd have been able to check the code commits to look at the period the software was written in.

And they wouldn't have sued to begin with.

Thuen breaks it down even more simply in his response:

Visdom, unlike Sophia, makes heavy use of third party open source libraries to accomplish many of the tasks for which the Sophia development team had to write code ourselves. An example for illustration: as part of my work on Sophia, I created a scrollbar from scratch, which means I had to implement the click and drag behavior (along with buttons) that causes a scrollbar to do what the average user expects a scrollbar to do. Visdom, on the other hand, builds on top of other, third party components that make scrollbars inherent. In other words, on Sophia development I spent significant time creating basic components to a user interface, whereas Visdom did not require such efforts. Visdom's heavy use of open source libraries facilitated its development in a matter of several months.

As Schou states, it's also written in a completely different programming language. Battelle and its representation may think "porting" software from one language to another is a simple copy-paste job, but Thuen dismantles this misperception.

Visdom was written in HTML, Javascript, and Go. As previously mentioned, Sophia was written in C. Visdom is not a translation of Sophia from C to the languages in which Visdom is written. We did not have the Sophia code when we created Visdom.

Further, a program written in one programming language cannot be cut-and-pasted into another programming language. Programming languages have different lexicographical grammars. As an example, if I'm writing code in C I have to deal with memory management; I have to keep track of the resources used by my programs. Javascript has no such concept, and any C code that does these functions would be impossible to translate into Javascript. Further, Javascript is an interpreted language and C is a compiled language. In other words, C creates software that runs on hardware, whereas Javascript creates software that runs in programs that run on hardware.

No two programmers who translate from one language to another, or from C to Javascript in particular, would produce the same output for any complex program. Those two languages, and their paradigms, are incompatible. A program written in C will inherently solve the problem to which it is directed in a different way than a program directed at the same problem but written in Javascript.

In developing Visdom, I specifically avoided any code, modules, sequences, routines, structures, screenshots, or any other materials that may have constituted some part of Sophia, based on my knowledge of Sophia as of the end of my access to it on or about August 2, 2012. Visdom is intended to solve the same problems as Sophia, but it is not a copy of Sophia, just as an electric car is not a copy of a gas-powered car simply because both are used for the same purpose.

What the judge determined to be "adequate circumstantial evidence" to justify ordering a no-notice restraining order (which included the seizure of Thuen's computer -- because he's a "hacker" -- more on that in a bit) completely falls apart when confronted with technical knowledge and observable facts.

Thuen's project is still listed on GitHub, where anyone can view related information, including development time, commits and, most importantly, the source code itself. Anyone with the technical knowledge would have seen that it a) pulls in third-party libraries to speed development and b) is written in a completely different language.
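Schou's point is that the claim was checkable before anyone filed anything. What that check looks like in practice, as an added example (not code from the article, from Southfork, or from the Visdom repository): a short Python script that parses a `git log` dump and reports the commit window and which languages the touched files are written in. The log text embedded below is constructed for illustration and is not Visdom's real history; the command in the docstring produces the same format from a real checkout.

```python
"""
Added example: reconstruct a development timeline and language mix from
a `git log` dump. The SAMPLE_LOG below is CONSTRUCTED, not a real
project's history. A real checkout produces the same shape with:

    git log --date=iso-strict --name-only --format='commit %H%nDate: %ad'
"""
from collections import Counter
from datetime import datetime
import os
import re

# Constructed sample in the format produced by the command above.
SAMPLE_LOG = """\
commit 1111111111111111111111111111111111111111
Date: 2013-06-03T09:12:00-06:00

cmd/visdom/main.go
web/index.html

commit 2222222222222222222222222222222222222222
Date: 2013-07-19T14:05:00-06:00

web/app.js
web/index.html

commit 3333333333333333333333333333333333333333
Date: 2013-09-30T18:40:00-06:00

cmd/visdom/main.go
pkg/flow/flow.go
"""

# Extension-to-language map; anything else is reported as "other".
EXT_TO_LANG = {
    ".go": "Go", ".js": "JavaScript", ".html": "HTML", ".css": "CSS",
    ".c": "C", ".h": "C", ".py": "Python",
}

COMMIT_RE = re.compile(r"^commit ([0-9a-f]{7,40})$")
DATE_RE = re.compile(r"^Date:\s+(\S+)$")


def parse_git_log(text):
    """Turn 'commit <hash>' / 'Date: <iso>' headers plus the paths that
    follow them into a list of {hash, date, files} records."""
    commits, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = COMMIT_RE.match(line)
        if m:
            current = {"hash": m.group(1), "date": None, "files": []}
            commits.append(current)
            continue
        m = DATE_RE.match(line)
        if m and current is not None:
            # iso-strict dates carry a UTC offset, so they compare safely.
            current["date"] = datetime.fromisoformat(m.group(1))
            continue
        if current is not None:
            current["files"].append(line)
    return [c for c in commits if c["date"] is not None]


def language_of(path):
    return EXT_TO_LANG.get(os.path.splitext(path)[1].lower(), "other")


def summarize(commits):
    """Commit count, first/last commit, span in days, and how many
    touched files fall into each language."""
    if not commits:
        raise ValueError("no dated commits found")
    dates = sorted(c["date"] for c in commits)
    langs = Counter(language_of(p) for c in commits for p in c["files"])
    distinct = {p for c in commits for p in c["files"]}
    return {
        "commits": len(commits),
        "first": dates[0],
        "last": dates[-1],
        "span_days": (dates[-1] - dates[0]).days,
        "languages": langs,
        "distinct_files": len(distinct),
    }


if __name__ == "__main__":
    s = summarize(parse_git_log(SAMPLE_LOG))
    print(f"{s['commits']} commits over {s['span_days']} days "
          f"({s['first'].date()} to {s['last'].date()})")
    for lang, n in s["languages"].most_common():
        print(f"  {lang:10} {n} file touches")
```

On the constructed sample this reports three commits over 119 days and not a single C file touched, which is exactly the kind of fact a plaintiff alleging a copy of a C code base would want to know before filing. Two caveats a practitioner should keep in mind: commit dates are author-supplied and can be rewritten, so they corroborate a timeline rather than prove it, and the extension map only counts files, not lines, so a large vendored library can dominate the histogram.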

Unfortunately, Battelle also abused the term "hacking" to justify the seizure of Thuen's computer without notice. Its original complaint quotes one of its own employees in support of its "if we notify him, he'll just wipe the hard drive" theory. The court cites this in its justification of the ex parte restraining order:

[B]attelle asserts that defendants are likely to wipe the hard drives on Thuen's computer, thus destroying direct evidence of wrongdoing. Battelle suggests that either of these actions would render further prosecution of the lawsuit fruitless...

The Court finds it significant that defendants are self-described hackers, who say, "We like hacking things and we don't want to stop."

A well-known characteristic of hackers is that they cover their tracks… This makes it likely that defendant Thuen will delete material on the hard drive of his computer that could be relevant to this case...

The Court has struggled over the issue of allowing the copying of the hard drive. This is a serious invasion of privacy and is certainly not a standard remedy, as the discussion of the case law above demonstrates. The tipping point for the Court comes from evidence that the defendants - in their own words - are hackers. By labeling themselves this way, they have essentially announced that they have the necessary computer skills and intent to simultaneously release the code publicly and conceal their role in that act. And concealment likely involves the destruction of evidence on the hard drive of Thuen's computer. For these reasons, the Court finds this is one of the very rare cases that justifies seizure and copying of the hard drive.

The self-description the court relied on comes from Southfork's own front page, which pitches its penetration testing to prospective customers:

Your customers love you and you gain a little bit more peace of mind. We wouldn't mind bringing your people in to participate and see first-hand how an attacker views your system. We'd love to train ourselves out of a job.

Southfork tests system security when a company hires it specifically for that purpose. Battelle's filing attempts to spin Southfork's technical knowledge into something purely sinister. According to Battelle, hackers are always adversaries, even when the company's own front page statement proclaims otherwise. Just because the knowledge is there doesn't mean it will only be deployed to cause damage. Thuen's response points out the flaw in this reasoning.

As a cybersecurity professional, I am aware of, and possess ability for, many “hacking” techniques that may be used in illegal ways, but I put them to use improving my customers’ security. In other words, I’m much like a locksmith who possesses the ability to pick a lock and uses his knowledge to help as a contributing member of society… In my career, I have held government clearances with the Federal Bureau of Investigation and the United States Department of Energy, which required me to pass multiple lie detector tests, psychological tests, extensive background checks, and other miscellaneous tests.

Battelle goes even further than this in its complaint, painting Thuen's hacking ability and his "threat" to take his project open source as a danger to national security.

BEA's copyrighted software is called Sophia and protects the United States' energy infrastructure by alerting utility administrators of potential hackers or other threats to the integrity of the nation's energy grid.

Given the nature of Sophia, Defendants' actions have implications for our national security. Defendants know of these implications but have ignored them.

Fortunately, this stretched argument doesn't figure in the judge's restraining order, but it's still a part of Battelle's complaint against Thuen. This argument is baseless as well, relying heavily on the allegation that Thuen's code is Battelle's code. Thuen points out the flaw in Battelle's portrayal of open source code as inherently dangerous.

I disagree with Battelle that security software like Sophia or Visdom cannot be open source because then hackers would have access to the source code. Security systems are better served by being open source so that complicated things, like cryptographic algorithms and implementations, can be reviewed by independent expert auditors rather than sitting behind smoke screens. The plethora of open source software used in secure systems today completely debunks the notion that you cannot have valuable and secure software that is also open source…
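The complaint describes what Sophia does only at the level of "alerting utility administrators of potential hackers," and the article describes Visdom as a network visualization and whitelisting tool. The core of such a tool is mundane: learn which conversations are normal on a control network, then flag the ones never seen before. As an added example, not code from Sophia or Visdom (neither project's source is reproduced here), a minimal passive flow whitelister in Python over constructed flow records. It assumes a flow is the tuple (source IP, destination IP, destination port, protocol) and that the control network is 10.1.0.0/24; both are assumptions for illustration.

```python
"""
Added example, not Sophia or Visdom code: a passive "learn, then alert"
conversation whitelister. All flow records and addresses below are
CONSTRUCTED for illustration.
"""
from ipaddress import ip_address, ip_network
from typing import Iterable, Iterator, Set, Tuple

# Assumed flow shape: (src_ip, dst_ip, dst_port, proto).
Flow = Tuple[str, str, int, str]

# Assumed address range of the monitored control network.
CONTROL_NET = ip_network("10.1.0.0/24")

# Constructed baseline: everything observed during a learning window.
BASELINE_FLOWS = [
    ("10.1.0.10", "10.1.0.20", 502, "tcp"),   # HMI -> PLC, Modbus/TCP
    ("10.1.0.10", "10.1.0.21", 502, "tcp"),   # HMI -> second PLC
    ("10.1.0.30", "10.1.0.10", 443, "tcp"),   # historian -> HMI
    ("10.1.0.10", "10.1.0.1", 53, "udp"),     # HMI -> local DNS
]

# Constructed monitoring window: the usual traffic plus three surprises.
MONITOR_FLOWS = [
    ("10.1.0.10", "10.1.0.20", 502, "tcp"),
    ("10.1.0.10", "10.1.0.1", 53, "udp"),
    ("10.1.0.77", "10.1.0.20", 502, "tcp"),   # never-seen host talking Modbus to a PLC
    ("10.1.0.20", "203.0.113.9", 443, "tcp"), # PLC reaching outside the control network
    ("10.1.0.10", "10.1.0.20", 22, "tcp"),    # known peers, unexpected service (SSH)
    ("10.1.0.10", "10.1.0.20", 502, "tcp"),   # duplicate of the first record
]


def learn_whitelist(flows: Iterable[Flow]) -> Set[Flow]:
    """Learning mode: every conversation seen in the window becomes 'expected'."""
    return set(flows)


def classify(flow: Flow, whitelist: Set[Flow]) -> str:
    """Return 'known', 'external', 'new-service' or 'new-peer' for one flow.
    Verdicts are ordered by how loudly an operator would want to hear about them."""
    src, dst, port, proto = flow
    if flow in whitelist:
        return "known"
    if ip_address(src) not in CONTROL_NET or ip_address(dst) not in CONTROL_NET:
        return "external"            # traffic crossing the control-network boundary
    known_pairs = {(s, d) for s, d, _, _ in whitelist}
    if (src, dst) in known_pairs:
        return "new-service"         # these hosts talk, but not on this port/protocol
    return "new-peer"                # these hosts have never talked to each other


def alerts(flows: Iterable[Flow], whitelist: Set[Flow]) -> Iterator[Tuple[str, Flow]]:
    """Yield (verdict, flow) once for every distinct flow not on the whitelist."""
    seen: Set[Flow] = set()
    for flow in flows:
        if flow in seen:
            continue
        seen.add(flow)
        verdict = classify(flow, whitelist)
        if verdict != "known":
            yield verdict, flow


def run_example():
    """Learn from the baseline window, then alert on the monitoring window."""
    whitelist = learn_whitelist(BASELINE_FLOWS)
    return list(alerts(MONITOR_FLOWS, whitelist))


if __name__ == "__main__":
    for verdict, flow in run_example():
        print(f"{verdict:12} {flow[0]} -> {flow[1]}:{flow[2]}/{flow[3]}")
```

Two things worth noting. The whitelist is only as good as the learning window: if an intruder was already on the network when the baseline was captured, its conversations are "expected" from then on, so the learned set has to be reviewed by someone who knows the plant before it is trusted. And none of this is secret-dependent; knowing exactly how the classifier works does not help an attacker whose new host or new port is, by definition, not in the whitelist, which is Thuen's point about open source security software.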

In the statements dealing with irreparable harm, Battelle claims it wouldn't be able to compete with Southfork's Visdom if Thuen gave the software away and earned money from support packages and custom modules instead. Clearly, Battelle and its lawyers are unaware that top-selling programs like Microsoft Office and Photoshop compete with free, fully-featured open source alternatives (LibreOffice and GIMP, respectively) all the time.

There are many more flawed arguments in Battelle's filing, but it appears that both the plaintiff and the presiding judge had just enough knowledge between them to reach a bad conclusion. Thuen's response tackles every accusation from Battelle's complaint, punching some big holes in its filing. Unfortunately, the court decided to handle this ex parte and is only now aware of the weaknesses of Battelle's allegations.

What this looks like is a government contractor hoping to shut down a competitor by deploying two "chilling" favorites: copyright infringement and "threats to national security." It also hurts itself by falling for government FUD -- "open source is dangerous" and "hackers are bad" -- both of which contributed to the general level of failure contained in its complaint.

BEA's copyrighted software is called Sophia and protects the United States' energy infrastructure by alerting utility administrators of potential hackers or other threats to the integrity of the nation's energy grid.

Does that mean there are grid operators stupid enough to put that critical infrastructure in contact with the Internet?

Ahem. Other than that it's one epic argumentation there with very proper analogies. I'd go for Visdom after reading this.

regardless of what should have happened and what did happen, surely the two most important things that come out of this and many similar cases are

a) the judge is a prick who knows absolutely fuck all about the case, but to prevent himself from looking like the prick that he is, he has gone down the road of least resistance and agreed with the other prick, who is shit scared of someone with a better product getting the goods!!

b) even though a person is dead right in what he has been doing and how he has been doing it, he has been royally screwed by someone who is shit scared of losing out to someone with a better product getting the goods, even though he knows full well that there has been absolutely no underhanded goings on!!

as is so usual, the guilty gets the deal because he shouts the loudest (or in this case, went to court while the other guy was away!)

Re:

"Does that mean there are grid operators stupid enough to put that critical infra structure in contact with the Internet?"

Don't forget the government a couple years ago was saying Anonymous could take over the power grid and shut it down at hospitals and such...

My first reaction to that was "who's the dumbass who connected this information to the Internet? He needs to be fired!" It's one thing to be able to read from the system on the internet so you have access to warnings and system information, but to be able to write (or shut off) a critical system, something is wrong.

Re:

I have the feeling that certain critical infrastructure systems are connected to the internet for the purpose of remote administration or monitoring. If a person who needs to have access is on the other side of the planet when you need them to have access, how else do you plan on getting them connected?

Re:

"Does that mean there are grid operators stupid enough to put that critical infra structure in contact with the Internet?"

Generally NO, they don't, but most have the ability for operators to "dial in" and perform operations remotely, or you can go out and buy a VHF radio, and a radio modem, and set yourself up in a car between two nodes, and take over a node and gain access that way.

Seems like Visdom is network analysis software. The author must be a coding/networking guru, and his ex-employer doesn't want a former employee making a similar product for 1/10th the cost using free (as in freedom to use and modify) open-source software.

Claiming national security over network topology software is absurd. As is the claim that he copied Sophia's code, line for line, especially if they're different programming languages.

Just another case of a corporation trying to bankrupt a young upstart company, using legal expenses and lawsuits.

CFAA is a trash law written by neanderthal politicians, who view anything more complicated than a typewriter as a possible WMD being launched on their political careers.

Re:

GIMP and LibreOffice DO NOT compete with MS Office or Photoshop, nor are they anything like "fully featured"

Must be a while since you checked out either of those projects. I'm a Graphic Designer and I substitute GIMP for Photoshop all the time. The only thing I find lacking is the inclusion of the Pantone color system which is proprietary in itself.

I haven't touched a MS Office product in years with the exception of people who send me Publisher files. The file format itself is proprietary and usually not even compatible between its own versions.

Big RED heiring

To talk about the difference between type of source code, and all this "low level and memory management" bullshit.

An application like this one would be written "top-down" where you start with features and functions and 'fill in' the low level functionality.

No you cannot 'cut n paste' but you can duplicate the functionality, and with any decent application development environment, you don't even have to consider much of the 'low level' stuff, the compiler/interpreter does that for you.

You might be able to pull the wool over on some of you less educated, but he knows, and I know he's talking shit.

Re: Big RED heiring

Duplicating the functionality is not a violation of copyright. He admits he's created similar functionality, that's not illegal. If you come at a problem in a different language, the methodology (and therefore the code) you use to recreate that functionality will be different.

Nor is duplicating functionality (with different code) inherently going to expose vulnerabilities in the original. They're written differently and will have different vulnerabilities.

Re: Re:

"If a person who needs to have access is on the other side of the planet when you need them to have access, how else do you plan on getting them connected?"

Why is the person on the other side of the planet required to access the system? Why are they required to do so with such a level of administrative access that the whole system is at risk should someone else gain that access?

Before asking how they are connected, you should ask why. If that answer's not good enough, they shouldn't be connected in the first place.

Re: Re:

I have no idea if the S/W truly creates any problems, but given what Battelle manages on behalf of the DOE, i.e., the Idaho National Laboratory, I believe it is prudent to have this matter reviewed in far greater detail than is typically the case on blogs.

BTW, I do agree that this matter was handled by attorneys and management in a ham-fisted way. There are ways to do this without coming off like jack-booted thugs.

Re: Re: Re:

Re: Big RED heiring

If you are going to contest the facts, you should at least start with correct spelling... as in a "Big RED herring". The other fact you should start with is that "features and functions" are not copyrightable. The code set down in a fixed form can get a copyright but not the features and functions. Otherwise, there would only be one word processor, one spreadsheet, one accounting program, and so on (they all have the same features and functions in their respective areas). Could you imagine if only one program could have a general ledger function?

And, it appears that you are trying to pull the wool over others' eyes instead of Thuen. If you had ever written a C program (and more than a "Hello World" program), then his statement about "low level" stuff like memory management is extremely accurate for C language programs. Java, JavaScript and .NET for example implement automatic memory management and garbage collection, but C leaves it all up to the individual programmer. Having been a professional software developer for 30 years and developing programs in each of those languages I can personally attest to Thuen's accuracy on this matter. Before you start calling anyone uneducated, you really should get yourself an education and do some fact checking before submitting a rant that demonstrates your lack of said education.

Re: Re: Big RED heiring

"Duplicating the functionality is not a violation of copyright. He admits he's created similar functionality, that's not illegal."

This. 100 times over. Copyright has no place in this unless the code is copy/pasted.

There may be a potential ethics issue, but that should have been stated in any employment hiring documentation by the company. (For example, I cannot work on similar work to the projects I work on for my job within 6 months of separation from the company.) Since no proof has been presented or complaint made on this, you can't just say that doing something similar is copyright even if you take similar IDEAS. No matter how you look at it, IDEAS aren't (supposed to be) copyrightable, just the IMPLEMENTATION which is the low level coding which is clearly different.

Re: Re: Big RED heiring

"An example for illustration: as part of my work on Sophia, I created a scrollbar from scratch, which means I had to implement the click and drag behavior (along with buttons) that causes a scrollbar to do what the average user expects a scrollbar to do."

That says it all. Every time I see some organization has written its own scrollbar code I know to RUN AWAY FAST! Do you think Battelle got paid to write scrollbar code that already exists? And it is certain that the scrollbars suck compared to professional bars.

Re: Re:

If a person who needs to have access is on the other side of the planet when you need them to have access, how else do you plan on getting them connected?

I know this is hard to believe, but there are readily accessible global communications systems other than the internet.

Hooking these systems up to the internet is not the only option to obtain the desired functionality. It's merely the cheapest and easiest option. For critical systems, though, "cheapest and easiest" is often the wrong answer.

Re:

That struck me, too. Unless they're developing for some incredibly exotic system (in which case, you have to ask why), there are numerous solid utility libraries available for whatever platform you're using. And if that platform is one of the major OS's (Windows, Linux, OS/X, iOS, Android) then the GUI elements are supplied by the OS itself and it is actively counter to good development principles to avoid using them.

Put that red flag together with the other red flag of going nuclear over this guy's project and Sophia sounds like a really badly run software house. I pity the developers working there, not to mention their customers.

Re: Big RED heiring

Re:

GIMP and LibreOffice DO NOT compete with MS Office or Photoshop,

Er... What??? So you think loads of people use LibreOffice and shell out a small fortune for the MS product? Would you care to explain how they don't compete rather than an unsupported sweeping statement?

nor are they anything like "fully featured"

This is true(ish at least), but then many many people in the market for these products don't use and don't/wouldn't miss many of these "features". MS has a long habit of adding pointless "features" to their products to justify the "brand new" version they can charge businesses again for and as for Gimp, well I know since moving to it I miss neither any "extra features" of Photoshop nor the ludicrous amount of resources it needs even to start.

Re: Big RED heiring

Re:

GIMP and LibreOffice DO NOT compete with MS Office or Photoshop, nor are they anything like "fully featured"

They absolutely compete. I can tell that based on the fact that I know a number of people who use them to get real work done, rather than using Office or Photoshop.

As to "fully featured," well, what does "fully featured" actually mean? GIMP has features that Photoshop doesn't and OpenOffice has features that Office doesn't. I guess that means that Office and Photoshop are not "fully featured".

The reality, though, is that the vast majority of features people want are in both the closed and open source products.

Happens more often than you think

Big company "K" gets wind that little guy "V" is developing something that will compete with "K" and wants to shut down little guy "V". "K" finds a Judge in a backwoods area far away from V's place of business, claims that "V" stole their IP and it is an "emergency" and gets an ex parte judgement to immediately seize the code (prototypes, design docs, etc.). Little guy "V" finds out about it when the clueless local sheriff dept show up with the "experts" and attorneys from "K" to seize said prototypes, design docs, etc. "K" now has all of "V's" IP and the proof that "V" developed it and .... hungry lawyers on "K's" staff to drag it out for years. "V" can't afford to try to out-lawyer "K" and after spending far too much money has to give up and work at the local bakery.

Yea, I was "V" on the west coast and "K" was on the east coast and a subsidiary of the biggest "G" out there; the Judge was in South Carolina. Not bitter ... much ... anymore.

Re: Re: Re:

We are going to see so many examples of old ass technically inept judges in the near future. It's already become a really big problem that you would have someone who can't even work their computer deciding cases about code.

Re: Re: Re:

That. The banking system is a good example. Even if some criminal can seize control of accounts the basic infrastructure is entirely safe. There are some smart grid options that allow people to control their home electric grids from a distance but it shouldn't be able to mess with basic power plant systems or non-domestic stuff. If it can then there's a fundamental problem with how it was set up that no amount of legislation can fix.

Re: All code is open

Disassembly and decompilation is only useful for small programs, or small sections of programs. Gaining several thousand lines of code with routine names like 'r1', and variable names like 'i23' does not make the code understandable. This is why JavaScript obfuscators are so popular, they render the source code unreadable.

Maybe I'm missing something here, but what exactly is the point of seizing his computers and issuing a restraining order against him? Since the project is hosted on Github, everything he's done with the project can reasonably be expected to be found there, and there's nothing stopping someone else from forking it and releasing a version.


Re: Re:

A critical system should only be controllable over a ring back system. Upgrades should only be possible by an on-site engineer so that they are there when it is tested and can recover from any problems due to the upgrade. Further if a remote upgrade is possible then the administrators could wake up one fine morning to a down system, which is responding only to someone else's control.


Re: Judges

It's not really a judge's job to be an expert in everything. I mean, do you also insist that a judge must be a doctor before hearing health-related cases? They have to take the evidence that's presented to them.

Andreas Schou (who is incidentally a lawyer in Idaho) said that he has a good opinion of this judge, overall. It's just that the lawyers from Battelle misled him about technical details, and also presented "facts" that were not actually true.

Lawyers being misleading is not exactly news. This is supposed to be solved by having two sides to the case, so if one side tries to go full bullshit the other can call them out. Of course this was an ex parte order, which means there was only one side, which means it's open season.

The other issue is factual misrepresentations. Judges do not like being lied to. The lawyers here might get a little slack by claiming "we had no way to know it was already on GitHub", but they also might run afoul of willful blindness or some other bad-faith charge. For example, did they even try to contact Southfork/Thuen before petitioning the court? If so, why wasn't that communication submitted with the complaint?

Re: Re: Re: The Point

Do you really think the judge is going to give two snaps about taking the guy's wife prisoner on her own front lawn?

Yes.

It is bad form to assume the judge is evil because he issued a bad order. Judges follow specific rules about the facts presented to them. In this case, the judge's order was not completely out of line, if you accept the "national security" arguments. And again, we know that those are bullshit, but he did not and cannot assume bad faith.

However, lawyers have an ethical obligation to be truthful (for a certain value of truthful). That's what allows the whole system to work. If a lawyer starts lying to a judge, the judge has incredible powers to make him pay for it.

Re: Re: Re: Re: The Point

the judge's order was not completely out of line

When a judge authorizes taking prisoners and breaking doors to seize items, there's no textual exception for “national security.”

“The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation…”

Re:

Good comment.. Let's ADD..

BASIC security features..BASIC. Those security reasonings that were LEARNED LONG AGO..ASK anyone older than 40..ASK any personal computer user in the past 30 years..What would you do to protect yourself IF you had the money?

Something I don't think Many of those here see..WOW, instead of having people ONSITE to watch and control..You have some IDIOT in PAKISTAN monitoring your machines??AND we are stilling more and more money for ???

Re: Re: Re: Re: Re: The Point

In a bona fide national security investigation, the probable cause to believe that a crime has been committed, or is being committed, is usually averred by an officer of the United States.

Additionally, bona fide warrants in national security cases are usually executed by officers of the United States. You know, the FBI wearing their raid jackets, with the yellow letters saying “FBI” on them—those guys.

I don't believe for an instant that the judge thought he was authorizing the breaking of doors and the taking of prisoners in any kind of bona fide national security case.

Re:

Writing a scroll bar (or any other standard component of pretty much every windowing toolkit ever written in the last 20 years) is a pretty clear sign of insanity.

Writing code in C in the 21st century is approaching insanity. As an expert in C who has written tens of thousands of lines of code for embedded systems and PC applications, the only legit reasons I can think of for still writing in C are a) the target system has less than 2MB of RAM or b) it fits in with other archaic corporate practices of carving office memos in clay tablets, offering sacrifices to the gods before business meetings and providing official company water jugs so that employees can wash their hands off after they take a shit in the field out back.

If it has a scroll bar it seems unlikely to be a payload or actual gaffe code... so WTF were they thinking?

Sounds to me like they've still got at least one foot in the 1970s, like many large corporations.

Anyone thinking about engaging a security consultant should definitely consider the former employee over the company he used to work for! At least he used modern tools!

Re: 4th Amendment

You realize there are already tons of exceptions to the 4th Amendment? I mean, try crossing a border some time. (Note that being within 100 miles of a border counts.)

Also, the judge did not authorize taking prisoners. It's unclear exactly what "held" means in this context, but if you bother to read the order there is no mention of imprisoning anyone. Nor was Thuen's property permanently seized; the order was for them to take his computer, copy it, and then immediately give it back. And despite Andreas' language, I don't think they actually broke down his door. (I could be wrong about that, I should ask him.)

The order was bad, and both the judge and lawyers are (hopefully) going to be held responsible. But don't try to make up evils; if you start lying about what happened, you're no better than the idiot lawyers who started this whole mess.

Re: ECA

To the Honorable Mr. ECA,

I am pleased to see that you share a common viewpoint with myself, and indeed with the editors of this site and the majority of its readers. It is always pleasant to have another voice in the fight against overreaching copyright law and innovation-stifling legal threats.

Quick, get Visdom at Git

Re: At what point do blatantly incorrect filings become perjury?

It would seem to me that with a good lawyer he stands to make BEA pay out a fairly large settlement for their behavior on this. Or am I missing something?

Yes, appeals of every decision that goes against the big company, and every tactic available to the lawyers to extend the time the case takes. In other words, the corporations will make the case too expensive for an individual to win, unless they can get a pro bono lawyer to act for them.

Re: Blatantly incorrect filings

My understanding is that you usually have to show subjective bad faith to get someone for perjury in cases like this. That's basically impossible unless you can find documents that show the lawyers discussing how they're going to lie to the court. I'm sure there's also a possibility to show complete gross incompetence, but that's probably even harder to stick.

IANAL, but I suspect that the "information and belief" line sets a low bar for how accurate the claims have to be. That is, if the lawyers can keep a straight face while claiming that they didn't realize the source code was on GitHub, they might be able to avoid misconduct charges. (It's entirely possible that they really didn't realize this; I'm more inclined to believe incompetence on their part than pointless malice.)

That said, Battelle probably isn't getting their bond money back and may end up owing Southfork/Thuen attorney's fees, if not actual damages.

Re: Re: Re: 4th Amendment

You don't think “being detained” is anything serious.

Be fair. I didn't see anything in the news reports that indicated that she was detained. What I saw was that she was intimidated by some asshole lawyers. She could have left at any time she wanted to. She also could have told them to leave her property and call the cops when they didn't.

Re: I need your INPUT..

WHO here knows/understands BASIC SECURITY in programming??STUFF learned over the last 30+ years?

Since I do this professionally, with nearly 30 years of experience, I suppose I qualify. However, for the life of me, I don't know what you're asking.

If you just want to understand the essentials for writing secure software, you're in luck. There are tons of tutorials and basic information all over the net, and it all essentially boils down to one basic piece of advice: do not trust any data that has been exposed to the outside world.
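As an added example (not the commenter's code, and not from the page's subject), here is that one rule applied to a length-prefixed record parser, the place where "trusting outside data" most often turns into memory corruption. The wire format, the `MAX_PAYLOAD` limit and the sample byte strings are all assumptions constructed for the demo: a one-byte type, a two-byte big-endian length, then that many payload bytes. The length field comes from the peer, so the parser checks it against both the bytes actually received and the destination capacity before a single byte is copied.

```c
/* Added example, not the commenter's code: the "do not trust data from the
 * outside world" rule applied to a length-prefixed record. The wire format is
 * assumed for the demo:
 *   [1 byte type][2 byte length, big-endian][length bytes of payload]
 * `length` comes from the peer, so it is checked against both the bytes
 * actually received and the destination capacity before anything is copied. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PAYLOAD 64   /* assumed capacity for the demo */

typedef struct {
    uint8_t  type;
    uint16_t length;
    uint8_t  payload[MAX_PAYLOAD];
} record;

/* Parse one record from `in`. Returns the number of bytes consumed, or 0 if
 * the input is malformed. A parser that trusted `length` would memcpy past the
 * end of `in` (information leak) or past `out->payload` (stack smash). */
size_t parse_record(const uint8_t *in, size_t in_len, record *out)
{
    if (in == NULL || out == NULL) return 0;
    if (in_len < 3) return 0;                           /* header incomplete */
    uint16_t length = (uint16_t)(((unsigned)in[1] << 8) | in[2]);
    if (length > MAX_PAYLOAD) return 0;                 /* would overflow out->payload */
    if ((size_t)length > in_len - 3) return 0;          /* claims more than was received */
    out->type = in[0];
    out->length = length;
    memcpy(out->payload, in + 3, length);
    return 3 + (size_t)length;
}

/* Walk a buffer holding several records back to back; stop at the first bad
 * one. Returns how many records parsed cleanly. */
size_t parse_stream(const uint8_t *in, size_t in_len, record *out, size_t max_out)
{
    size_t count = 0, off = 0;
    while (count < max_out && off < in_len) {
        size_t used = parse_record(in + off, in_len - off, &out[count]);
        if (used == 0) break;
        off += used;
        count++;
    }
    return count;
}

/* Constructed inputs for the demo (not captured traffic). */
static const uint8_t good_stream[] = {
    0x01, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o',  /* type 1, 5-byte payload */
    0x02, 0x00, 0x00,                           /* type 2, empty payload */
};
/* Claims a 65535-byte payload but only 5 bytes follow the header. */
static const uint8_t lying_stream[] = { 0x01, 0xFF, 0xFF, 'h', 'e', 'l', 'l', 'o' };
/* Truncated: header promises 5 bytes, only 3 arrived. */
static const uint8_t short_stream[] = { 0x01, 0x00, 0x05, 'h', 'e', 'l' };

static record demo_records[4];

size_t demo_good(void)  { return parse_stream(good_stream,  sizeof good_stream,  demo_records, 4); }
size_t demo_lying(void) { return parse_stream(lying_stream, sizeof lying_stream, demo_records, 4); }
size_t demo_short(void) { return parse_stream(short_stream, sizeof short_stream, demo_records, 4); }

/* 1 if the good stream yields the two records exactly as sent. */
int demo_good_contents_ok(void)
{
    if (demo_good() != 2) return 0;
    return demo_records[0].type == 1 && demo_records[0].length == 5
        && memcmp(demo_records[0].payload, "hello", 5) == 0
        && demo_records[1].type == 2 && demo_records[1].length == 0;
}

int main(void)
{
    printf("good stream:  %zu records, contents ok=%d\n", demo_good(), demo_good_contents_ok());
    printf("lying stream: %zu records (rejected)\n", demo_lying());
    printf("short stream: %zu records (rejected)\n", demo_short());
    return 0;
}
```

The two rejections are the whole point: the lying record fails the capacity check, the truncated one fails the "did we actually receive that many bytes" check, and neither check is something you can leave to the caller.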

Re:

So far that appears to be an unfair characterization of the judge. After all, the judge only heard ONE side and, based on what was presented to him, it seemed reasonable even if it was as far disconnected from the truth as it was. What remains to be seen is how the judge reacts to the truth when it is presented before him.

Re: Re: Re: Re: Re: 4th Amendment

Yes, I know it said that. I was talking about being legally detained, not just being barked orders by random assholes.

Nothing in the story indicates that she was physically restrained. It is more likely that she was simply told not to leave or enter the house. That is not being detained, that is being intimidated. She should have ignored them totally. If they laid a finger on her, she could then charge them with one or more of the laws meant to handle this kind of thing: battery, illegal detention, etc.

Re: Re:

Ever consider that the decision to develop it entirely from scratch may have been made from the higher ups and not the developers themselves possibly because they believed that if they did it that way it would be entirely theirs to control?

Re: Re: All code is open

Yes, I have. I regularly hack at the game Left 4 Dead 2. Not sure it's a million lines, but it's based on the Source engine, so it's not some small, trivial application.

Yes, it is hard.

No, it is not impossible. People do it all the time. Sure, it requires a certain set of skills that most people don't have, and a certain amount of dedication. So does flying an airplane.

It's a lot like the Matrix. Once you know what it all means, you don't see numbers and letters anymore. You see a global variable holding the private key for the KeyBLOB being passed into the CryptImportKey Win32 API.
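Here is what that "you see a key blob going into CryptImportKey" instinct looks like once it is automated, as an added example that is not the commenter's code or anything from the case. Microsoft's CryptoAPI RSA key blobs (the `BLOBHEADER` followed by `RSAPUBKEY`) begin with a fixed, recognisable prefix, so a binary, memory dump or config file can simply be scanned for them. The scanner below is my own; the sample buffer is constructed with junk modulus bytes and is not a real key, and the 512..16384-bit sanity range is an assumed filter, not part of the format.

```c
/* Added example, not the commenter's or anyone's project code: scanning a byte
 * buffer for Microsoft CryptoAPI RSA key blobs of the kind passed to
 * CryptImportKey. Layout (BLOBHEADER + RSAPUBKEY, all little-endian):
 *   offset 0  bType      0x06 PUBLICKEYBLOB / 0x07 PRIVATEKEYBLOB
 *   offset 1  bVersion   0x02
 *   offset 2  reserved   0x0000
 *   offset 4  aiKeyAlg   CALG_RSA_KEYX 0x0000a400 or CALG_RSA_SIGN 0x00002400
 *   offset 8  magic      "RSA1" for public, "RSA2" for private
 *   offset 12 bitlen     modulus size in bits
 *   offset 16 pubexp     public exponent
 *   offset 20 modulus    bitlen/8 bytes (private blobs continue with p, q, ...)
 * The sample buffer below is constructed with junk modulus bytes; it is not a key. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PUBLICKEYBLOB    0x06
#define PRIVATEKEYBLOB   0x07
#define CUR_BLOB_VERSION 0x02
#define CALG_RSA_KEYX    0x0000a400u
#define CALG_RSA_SIGN    0x00002400u
#define BLOB_FIXED_LEN   20

typedef struct {
    size_t   offset;     /* where the BLOBHEADER starts in the buffer */
    int      is_private; /* 1 for PRIVATEKEYBLOB, 0 for PUBLICKEYBLOB */
    uint32_t bitlen;
    uint32_t pubexp;
} keyblob_hit;

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Scan `buf` for RSA key blobs. Returns the number of hits recorded (at most max_hits). */
size_t find_rsa_keyblobs(const uint8_t *buf, size_t len, keyblob_hit *hits, size_t max_hits)
{
    size_t n = 0;
    if (len < BLOB_FIXED_LEN) return 0;
    for (size_t i = 0; i <= len - BLOB_FIXED_LEN && n < max_hits; i++) {
        uint8_t btype = buf[i];
        if (btype != PUBLICKEYBLOB && btype != PRIVATEKEYBLOB) continue;
        if (buf[i + 1] != CUR_BLOB_VERSION || buf[i + 2] != 0 || buf[i + 3] != 0) continue;
        uint32_t alg = rd32le(buf + i + 4);
        if (alg != CALG_RSA_KEYX && alg != CALG_RSA_SIGN) continue;
        const char *magic = (btype == PRIVATEKEYBLOB) ? "RSA2" : "RSA1";
        if (memcmp(buf + i + 8, magic, 4) != 0) continue;
        uint32_t bitlen = rd32le(buf + i + 12);
        /* bitlen is untrusted data: bound it (assumed 512..16384-bit filter) and
         * make sure the modulus it promises actually fits in the buffer. */
        if (bitlen < 512 || bitlen > 16384 || (bitlen % 8) != 0) continue;
        if ((size_t)(bitlen / 8) > len - i - BLOB_FIXED_LEN) continue;
        hits[n].offset     = i;
        hits[n].is_private = (btype == PRIVATEKEYBLOB);
        hits[n].bitlen     = bitlen;
        hits[n].pubexp     = rd32le(buf + i + 16);
        n++;
    }
    return n;
}

/* Constructed sample: 5 bytes of padding, a 1024-bit PRIVATEKEYBLOB header,
 * 128 bytes of fake modulus, a decoy with a bogus magic, 4 trailing bytes. */
#define SAMPLE_LEN (5 + BLOB_FIXED_LEN + 128 + BLOB_FIXED_LEN + 4)
static size_t build_sample(uint8_t *out)
{
    static const uint8_t hdr[BLOB_FIXED_LEN] = {
        0x07, 0x02, 0x00, 0x00,   /* PRIVATEKEYBLOB, version 2, reserved */
        0x00, 0xA4, 0x00, 0x00,   /* CALG_RSA_KEYX */
        'R', 'S', 'A', '2',       /* magic */
        0x00, 0x04, 0x00, 0x00,   /* bitlen = 1024 */
        0x01, 0x00, 0x01, 0x00,   /* pubexp = 65537 */
    };
    static const uint8_t decoy[BLOB_FIXED_LEN] = {
        0x07, 0x02, 0x00, 0x00, 0x00, 0xA4, 0x00, 0x00,
        'R', 'S', 'A', 'X', 0x00, 0x04, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00,
    };
    size_t off = 0;
    memset(out, 0x90, 5);                       off += 5;
    memcpy(out + off, hdr, BLOB_FIXED_LEN);     off += BLOB_FIXED_LEN;
    for (int k = 0; k < 128; k++) out[off + k] = (uint8_t)('A' + (k % 26));
    off += 128;
    memcpy(out + off, decoy, BLOB_FIXED_LEN);   off += BLOB_FIXED_LEN;
    memset(out + off, 0x00, 4);                 off += 4;
    return off;
}

static keyblob_hit demo_hits[4];

size_t demo_scan(void)
{
    uint8_t sample[SAMPLE_LEN];
    size_t len = build_sample(sample);
    return find_rsa_keyblobs(sample, len, demo_hits, 4);
}
const keyblob_hit *demo_hit(size_t i) { return &demo_hits[i]; }

int main(void)
{
    size_t n = demo_scan();
    for (size_t i = 0; i < n; i++)
        printf("blob at +%zu: %s, %u-bit, e=%u\n", demo_hits[i].offset,
               demo_hits[i].is_private ? "PRIVATE" : "public",
               demo_hits[i].bitlen, demo_hits[i].pubexp);
    return 0;
}
```

On a real target you would feed it the mapped binary or a process dump; a hit on a PRIVATEKEYBLOB in a shipped executable is exactly the "global variable holding the private key" the comment describes, found without reading a line of disassembly.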

Re: Re: All code is open

Incorrect. I have disassembled many commercial games, in fact I have a particular fancy for Wii games because the PowerPC assembly code is very easy on the eyes (x86 makes my eyes bleed, lol). That was pure disassembly, didn't involve any decompiling at all. I had a lot of fun hacking games to do all kinds of stuff - I made a code for Super Mario Galaxy 2 that stores your current location and allows you to teleport to the stored location; it also allows you to levitate, including through walls. Search here http://www.geckocodes.org/index.php?c=SB4E01 for "Multi-Teleporter with Levitation"

While names like r1 and i23 don't necessarily mean a whole lot...that's why you look at the code, figure out what it's doing, what variable is being passed to what function as what argument of the call, look at the function to see what that variable is. That's why you set read and write breakpoints. That's why you get a disassembler that can fill in the names of function calls like __imp_EnterCriticalSection.

Saying that obfuscation or assembly renders code unreadable is like saying RSA cannot be broken. It shows a lack of understanding. RSA *can* be broken, and in fact Team Twiizers broke RSA on the Wii (thanks to Nintendo's failed implementation - good job guys, checking binary values with a strcmp...)
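As an added illustration of the strcmp-on-binary-values fault class the comment refers to (my own code, not Nintendo's and not anything recovered from a console): strcmp() stops at the first 0x00 byte, so two 20-byte SHA-1 digests that both happen to begin with 0x00 compare "equal" however much they differ afterwards. Roughly one digest in 256 starts with a zero byte, so an attacker only has to vary some ignored padding in the signed data until the hash cooperates. The digest values below are constructed, and both arrays carry one extra trailing zero purely so the vulnerable compare cannot read off the end in this demo.

```c
/* Added illustration, not Nintendo's or any shipped code: why checking a
 * binary digest with strcmp() breaks a signature check. strcmp() stops at the
 * first 0x00 byte, so two 20-byte SHA-1 digests that both start with 0x00 are
 * reported equal no matter what follows. The hardened version compares a fixed
 * number of bytes and, as a bonus, does so in constant time. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DIGEST_LEN 20

/* Vulnerable: treats raw digests as NUL-terminated strings. Returns 1 on "match". */
int digest_equal_strcmp(const uint8_t *expected, const uint8_t *actual)
{
    return strcmp((const char *)expected, (const char *)actual) == 0;
}

/* Hardened: compares exactly `len` bytes; OR-accumulates differences so the
 * running time does not depend on where the first mismatch is. */
int digest_equal_ct(const uint8_t *expected, const uint8_t *actual, size_t len)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < len; i++) diff |= (uint8_t)(expected[i] ^ actual[i]);
    return diff == 0;
}

/* Constructed digests (not real hashes of anything). Both carry an extra
 * trailing 0x00 purely so the vulnerable strcmp() in this demo cannot read
 * past the buffer; the real bug has no such cushion. */
static const uint8_t genuine[DIGEST_LEN + 1] = {
    0x00, 0x3a, 0x91, 0xc4, 0x17, 0x5e, 0xb2, 0x08, 0xd9, 0x66,
    0x2f, 0x81, 0xa3, 0x4c, 0xee, 0x7b, 0x15, 0x90, 0x6d, 0xf2, 0x00 };
static const uint8_t forged[DIGEST_LEN + 1] = {
    0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99, 0x88, 0x77,
    0x66, 0x55, 0x44, 0x33, 0x22, 0x11, 0x0f, 0x0e, 0x0d, 0x0c, 0x00 };

/* With the leading 0x00, strcmp() never looks at bytes 1..19: forged "matches". */
int demo_strcmp_accepts_forgery(void) { return digest_equal_strcmp(genuine, forged); }
/* The fixed-length compare sees the difference at byte 1. */
int demo_ct_rejects_forgery(void)    { return digest_equal_ct(genuine, forged, DIGEST_LEN); }
/* And still accepts the genuine digest. */
int demo_ct_accepts_genuine(void)    { return digest_equal_ct(genuine, genuine, DIGEST_LEN); }

int main(void)
{
    printf("strcmp accepts forged digest: %d\n", demo_strcmp_accepts_forgery());
    printf("fixed-length compare rejects it: %d\n", !demo_ct_rejects_forgery());
    printf("fixed-length compare accepts genuine: %d\n", demo_ct_accepts_genuine());
    return 0;
}
```

The check to run on any code base you audit is mechanical: every comparison of a hash, MAC or signature must take an explicit length, never a terminator, and should not short-circuit on the first differing byte.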

Re: Re: Re: 4th Amendment

No, I was giving a well-known example of an exception to the 4th Amendment. I apologize for not being clear about that.

You don't think “being detained” is anything serious.

I'm sorry if I gave that impression, because that is not at all true. I think being detained is a very serious thing. I just don't think illegal detention plays a part in this story.

Full disclosure: I am one of the people who submitted this story. (I suspect someone else did a better write-up, since I sent in the link with this account.) I know Andreas Schou, and I have access to other information from his perspective, beyond what is publicly posted.

So with that said, no one involved in the story is claiming that the judge acted unconstitutionally, or that the order was in any way illegal. It was wrong, it was based on misleading and/or false information, and I very much hope that Corey Thuen is justly compensated for his trouble. But it was not illegal.

As for how the judge is going to play it, I'll defer to the original G+ thread:

Andreas Schou Oct 17, 2013

I've known Judge Winmill since I was a kid; his daughter was in the class right below mine. And I've never heard anyone in the Idaho bar say a negative word about him.

I think he may have just got rolled here on a technical issue (and a term of art, 'hacker,' which has negative implications to laypeople) which was not adequately explained to him.

Re: Re: Re: Blatantly incorrect filings

It's pointless if they end up causing a big PR mess, losing the case, and having to pay fees and damages to Mr. Thuen. If the lawyers knew the code was already on GitHub, they would not have filed for the restraining order; they'd have gone straight to the jury trial. That's where the real pain is anyway.

Re: Re: All code is open

Most JavaScript "obfuscators" aren't really used to obfuscate for security anyway. They are compactors that reduce file size and increase performance. Many libraries are available in long and compacted form. Compacted for people that just want to use it as is. Long form for people who want to customize it to make it work a little differently for their own specific purposes.

Re: Re: Re: Re: 4th Amendment

Don't you find it odd though that the lawyers went to the court and argued that a rare ex parte injunction was necessary, got the order and then chose to try to enforce the injunction themselves instead of taking the court order to law enforcement and requesting their assistance in retrieving the copy that it said they were entitled to? Even if she wasn't physically restrained. Threatening her on the premises of her own domicile and attempting to prohibit her from entering her own home is not something they should be allowed to do without the assistance of law enforcement. You honestly don't think the fact that they handled it in the manner that they did is an important aspect to the case?

Re: Re: Blatantly incorrect filings

I'm inclined to agree with you about the perjury thing. I suspect that Battelle saw the withdrawal of the bid, found that it was because of a competing product made by the former employee, filled in the rest with assumptions, and took that narrative to lawyers that ran with it without digging any further. That isn't lying. That is taking a limited set of facts and presenting them the way you interpreted them. However, the fact that they didn't request law enforcement assistance in executing the court order and instead chose to execute it themselves in a ham-fisted manner, that is a little more troublesome and I think will probably be something the judge will not be happy about.

Deja vu...

- Thuen worked on Sophia and had access to the code.
- Visdom's name is remarkably similar to Sophia. (The short version: Sophia is the goddess of wisdom. Wisdom/VISDOM.)
- There's no way Thuen could have come up with his own program in such a short period of time without copying substantial amounts of Sophia's code.

Re: Re: I need your INPUT..

If I read that story correctly, Battelle is in a whole lot more trouble than at first glance. Serving a warrant or subpoena by private individuals in this manner amounts to burglary, grand theft, and kidnapping (restraining his wife). I hope the victims file charges against the idiots that pulled this crap.

Re: Re:

the only legit reasons I can think of for still writing in C is a) target system has less than 2MB of RAM or b) it fits in with other archaic corporate practices

That's not true. There are other reasons, such as more direct access to the hardware layer (drivers, embedded systems). Or when garbage collection causes problems, and you want to manage memory yourself (audio, games).

Re: Re: Big RED heiring

I agree, but I did not say it was a breach. I said this bullshit about it being a different type of code means it's a copy of the functionality/features, and yes, copying functionality and features, COPYING the APPLICATION, certainly could fall under copyright.

If it is a "functional exact copy" there is potential for copyright issues. Does not matter what the underlying code is or looks like; if it looks the same, acts the same, and is based on the same concepts, it's a copy.

But saying 'its different code', but DOES EXACTLY THE SAME THINGS, LOOKS the SAME, and is clearly "based, stolen, copied, lifted, cloned" to look and act just like what he was doing elsewhere, there is a VERY STRONG legal case that it is a copy, or forgery.

That has nothing to do with using Java or C, again I call bullshit on that one.

Re: Re:

A feature of MS Office, for example, is that it is used ubiquitously for business and personal use; that is a 'feature', as is being supported by a stable and professional company. That is a 'feature' LibreOffice does not have, and that is a VERY IMPORTANT feature.

Re: Re:

Also operational viability: some systems don't operate on the minute/hour, they have to be realtime, and that means milliseconds. Although you could use a human proxy for security, it could hurt other areas like productivity and quality of service.

Re: Re: Re:

Meh. Garbage collection problems are mostly a thing of the past. Most modern JVMs have configurable GC. Have a look at JRockit, for example. If you still have GC issues with something like that then it's a design problem, not a language problem.

Heck, these days just dedicate a core to nothing but memory management, you'll probably still have plenty left to run the app.

It's really hard for me to imagine a valid reason for using C on anything other than a micro-controller. Glue a USB connector to it and write the rest of whatever it is in a real language, throw a few more cores at it, add a few more nodes to the cluster... spend an extra $10,000 on the hardware and save a $1,000,000 in wasted development effort, missed business opportunities and maintenance nightmares.

In any case, Battelle sounds exceptionally backwards to me, in technology as well as in their morals and ethics. Certainly changes my opinion when I hear the company name.

Re: Re: Re: Re: Big RED heiring

you "implement" a feature or function, it has nothing to do with the low-level code, but everything to do with the function, look and "idea" behind that implementation.

Are you mixing copyright with patents?

Copyright protects specific forms of expression, not the expression itself, meaning it protects neither function nor ideas, only the look of any implementation.

Doubt it? Look up the law and case law, Mr.

Real-life example: game producers can copy each other's game mechanics exactly and they can't be stopped from doing so, but if they use graphical assets they are infringing copyrights.

Patents on the other hand are there to protect functionality and even then it is supposedly only to be applied to specific implementations of it.

But in specific this was filed as a copyright claim, a bogus copyright claim by the way.

The plaintiff could easily have checked whether any breach of copyright had occurred just by looking at the code released in a public space. So the plaintiff's counsel is incompetent, cheap, malicious, or all of the above.

Re: Re: Re: Re: Big RED heiring

Let me fix that for ya.

Copying a one dollar bill using a photocopy (copy & paste equivalent) is illegal; making your own fantasy money bill with readily available materials, copying certain aspects of it (e.g. the form of the note), is not.

Re: Re: Re: Big RED heiring

If it is a "functional exact copy" there is potential for copyright issues. Does not matter what the underlying code is or looks like, if it looks the same, acts the same, and is based on the same concepts it's a copy.

You're partially right. If it LOOKS the same, there might be an issue with copyright. You can certainly have copyright in the UI distinct from your copyright in the code - if I go and write an EXACT copy of Microsoft Word with every menu option in the same place and every color the same, I would be infringing even if my code was different. But having the same functionality is not an issue. Functionality is not copyrightable, no matter how much you want it to be. I could write a program that does 100% of what Word does and I would be fine as long as I didn't copy the layout.

In this case, the scrollbar issue alone tells me that the UI was not copied. They wouldn't bother making their own scrollbar unless it looked or acted in some nonstandard way - otherwise they'd obviously use the standard scrollbar.

FURTHERMORE, they had not even SEEN the code OR the software yet (assuming they hadn't seen what was on GitHub - if they knew about that, they are in big trouble, because the code being available means there was no reason for the seizure.) So how could they possibly know it's infringing with enough certainty to start seizing the guy's computers before letting him even attempt to defend himself?

And saying it's a "forgery" is totally bogus. That would mean they were taking their own code and trying to pass it off as written by somebody else! Do you even know what the words mean that you are using?

Re: Re: Re: Re: Big RED herring (fixed)

I don't know what kind of background you have (maybe you are a former fine arts student in some area of esoteric literature), but you obviously know nothing of computer programming, engineering or other technical fields.

You seemed to have strung a strange set of misconstrued and misunderstood ideas to come up with both of your comments.

When you have had 30 or more years in a technical field come back and make your arguments. Otherwise, stop making comments that show you are a folly-filled fool.

Re: Re: Re: Re:

WTF are you on about? I say that you shouldn't be giving someone on the other side of the planet complete access to systems without good reason, and you use that to attack me for ripping off customers in a company? Plus, you assumed that means that only one person can possibly have access?

Re: Re: Re:

USE those products, then YOU TELL ME !!!!

I use both Office and OpenOffice, and I use GIMP, professionally. Let's focus on Office, as that's what I know best. Both Office and OO have 99% of the same features. Where there's a difference, it's mostly features that OO has that Office doesn't.

So what's your point?

A feature of MS Office for example, is that it used ubiquitously by business and personal use, that is a 'feature' as is being supported by a stable and professional company

Being used ubiquitously is unimportant as long as you can use the same files in both products. Which you can. As to support, I call BS. Have you actually used the "support" Microsoft offers for Office? I have. I can resolve my problems faster and easier with OpenOffice, and I don't have to go through the agony of calling a support line.

However, if you really want Microsoft-style support for LibreOffice, OpenOffice, et al., you can get that, too, through your choice of commercial support operations. SO, it's not really a feature unique to Office.

Re: Re: Re: Re: All code is open

No way is optimized PPC as bad as x86.

For one, PPC has a TON of registers, x86 only has a few. PPC almost always passes arguments and return values via the same registers; x86 can sometimes use registers and sometimes the stack. PPC has three-operand opcodes, so the destination can be a separate register; x86 has two-operand opcodes, so the destination is one of the source registers. PPC is RISC, x86 is CISC. PPC uses "normal" registers for floating point operations, x86 uses a stack.

I would rather read optimized PPC than unoptimized x86 any day of the week.

Countersue Countersue Countersue

Battelle appears to have illegally and fraudulently misused the courts to suppress one citizen's free speech, all seemingly at felony levels. We have the free-speech right to write and publish software at will, barring actual illegal acts. Battelle clearly failed in due diligence in compiling their complaint, made numerous fraudulent claims, and even falsely imprisoned his wife while calling the sheriff. Countersue for billions on each count, and refuse an NDA so as to maximize Battelle's embarrassment through full public disclosure. LOL.

Re: Re: Re: Re:

It's my experience that people who make those sorts of anti-FOSS arguments fall in a number of camps. One is that they're not up-to-date. A lot of the arguments made might have applied to Linux 5 years ago or to OpenOffice 1.0 (perhaps the last time they tried them) but not now.

Another is over-dependence on niche features. For example, some people *do* have a legitimate reason not to be able to consider a competitor to MS Office such as advanced collaboration functionality that's unique to MS. But those people often don't understand that most people don't ever touch those features, and that the features that are used by most people are supported equally in competing programs. Like it or not, even Google Docs gives a large number of people the complete feature set they actually use.

Another is a lack of awareness of the nature and history of the marketplace. AC above, for example, gives MS Office's ubiquity as a selling point but fails to realise both the shady practices that led to that ubiquity and the fact that those who have stuck with MS have done so due to a lack of need to consider alternatives (e.g. they're still happy with the features of Office 2003, so why move?). Over time, more of those people will move, and if they stick with MS it's more due to a familiar brand than an actual evaluation of features and support. Finally, they also base their ideas on assumptions rather than reality - for example, because they didn't pay for support packages if they tried FOSS in the past, they assume that nobody has professional support.

So, they end up in this fantasyland where the only "usable" software is the big name brands and nobody can possibly be happy with FOSS and other alternatives.

Another thing to consider is the fact that copyright only applies to one given realization of the code, which was written in C and used hand-written library functions unique to the program. Southfork may have, in fact, used Battelle's specification for the program, but rewrote it in another language, using open-source libraries, in an essentially "clean room" operation. None of the resulting bits or source could be compared in any way to the Battelle original.

Re: Re: Re: Re: Big RED heiring

Because you used a photocopier, and not a printing press are you innocent of forgery ?

Actually, yes you are. Guilty of copyright infringement possibly, but not of forgery unless you try and pass off the copied note as a real one. There was a case a number of years ago where an artist was drawing money and selling it as art. The mint tried to prosecute her for forgery but couldn't make it stick because she wasn't claiming it was a real bank note. That case is where the mint started claiming copyright over currency.